OIDC SSO logout on shared Android devices (IdP session not cleared)

Kenyuri · February 16, 2026, 1:58pm

We’re using the Community Health Toolkit (CHT) with OIDC SSO on shared Android devices and are investigating logout behavior to ensure proper user separation and data protection.

Problem

When User A logs into CHT via SSO and then logs out, the local CHT session ends, but the OIDC Identity Provider (IdP) browser session remains active. As a result, when User B opens the app and selects “Login with SSO”, the IdP can silently (or very quickly) re‑authenticate as User A, so User B inherits User A’s access.

Questions

Does CHT currently support RP‑initiated logout (e.g. calling the IdP end_session_endpoint) when a user logs out of CHT?
If not, are there any recommended configurations or workarounds for shared Android devices to prevent reuse of the previous user’s IdP session?
Can CHT be configured to:
- Force re‑authentication on each SSO login (e.g. using prompt=login, max_age=0)

Why this matters

In our deployment, Android devices are routinely shared between health workers. Without a reliable way to ensure that both the CHT session and the IdP session are properly terminated per user, there is a real risk of one user accessing another user’s data or performing actions under the wrong identity.

Any guidance, best practices, or references from other deployments would be greatly appreciated.

mrjones · February 17, 2026, 7:15pm

Hi @Kenyuri - Thanks for posting your question!

The short of it is that we’re going to use work-arounds in the immediate term. Longer term there’s maybe some other options we could think of or add to the CHT

In response to your questions:

Does CHT currently support RP‑initiated logout (e.g. calling the IdP end_session_endpoint) when a user logs out of CHT?

Unfortunately not - the CHT only supports it’s own session cookie being expired which does not affect the OIDC provider’s session. The technical section of the SSO docs cover this as a known limitation (“Back-channel logout is not supported”)

If not, are there any recommended configurations or workarounds for shared Android devices to prevent reuse of the previous user’s IdP session?

The best work around I can think of is to instruct user A to go to the OIDC provider page/app and log out in addition to logging out of the CHT. This will ensure when user B clicks log in, the OIDC provider will force them to login before proceeding.

Additionally, are you still running a shorter default session duration of 8 hours? If this is configured on both the CHT and the Identity Provider, it should offer another level of protection against this scenario.

Can CHT be configured to: Force re‑authentication on each SSO login (e.g. using prompt=login, max_age=0)

The CHT doesn’t offer this configuration either, sorry.

cc @sugat or @jkuester in case there’s anything I’m missing.

jkuester · February 17, 2026, 10:21pm

@mrjones I think you covered things well!

One additional thing I would note with regard to back-channel logout and prompt=login/max_age=0, is that these are definitely things that we would consider implementing in the CHT! I am not super familiar with everything that is required to support back-channel logouts, but specifically for the prompt/max_age params, I think it should be simple to support configuring these in the CHT (or maybe using them by default… ). Looking at some docs it does seem like we would also need to validate the auth_time when using those params… This is the kind of thing I always expected we would iteratively add after releasing the MVP of SSO.

@Kenyuri can you confirm if supporting the max_age param would be sufficient for your orgs needs here? If so, maybe I can work up a GitHub issue with some details.

mrjones · February 18, 2026, 2:10am

Thanks Josh! I was hoping you might have insight on a path toward a medium term solution and you delivered!

Kenyuri · February 18, 2026, 8:15am

Hello @mrjones @jkuester Thank you for your support and ideas. I think the max_age param would be sufficient for now.

jkuester · February 18, 2026, 5:20pm

Issue logged:

github.com/medic/cht-core

Support configuring `max_age` parameter for OIDC login

opened 05:18PM - 18 Feb 26 UTC

jkuester

Type: Feature

**Is your feature request related to a problem? Please describe.** Originally di…scussed [on the forum](https://forum.communityhealthtoolkit.org/t/oidc-sso-logout-on-shared-android-devices-idp-session-not-cleared/5513/2). Currently the CHT [SSO functionality](https://docs.communityhealthtoolkit.org/hosting/sso/) supports basic OIDC authentication whereby the user actually authenticates via a 3rd-party auth provider. The OIDC flow results in the user's client being assigned a valid CouchDB session cookie (aka a valid CHT session cookie). When the user logs out of the app, the session cookie is cleared and they no longer have a valid CHT session. _However_, depending details around the user's device and the 3rd-party auth provider, the user may still have an active session with the 3rd-party auth provider. (E.g. in cht-android, we use an [Android Custom Tab](https://developer.android.com/develop/ui/views/layout/webapps/overview-of-android-custom-tabs) to complete the OIDC auth flow which will have access to sessions on the user's default browser.) This means that if the user again tries to login to the CHT via the SSO flow, they will be redirected to the 3rd-party auth provider. If they already have an active session there, the auth provider may just automatically redirect back to the CHT with the ID token for the user with the current session. This will cause the user to be logged back into the CHT with the same CHT user as before. In many cases, this will be considered a feature (the CHT SSO functionality was designed/intended to work this way). Take the case where a user is logged into their Google account on their phone and Google is configured as the 3rd-party auth provider for their CHT instance. The first time this user opens their CHT app and selects the SSO Login, they can be automatically redirected to/from the Google auth page (without needed to re-authenticate) and the CHT will automatically log them in as the CHT user associated with that Google account. _However_ (as described in the forum thread) this functionality is problematic in some cases (such as where a single device is shared by multiple users). When trying to switch from one SSO user to another, the 3rd-party auth provider may not prompt for the second user to login and instead just return the id token for the first user (who's session with the auth provider is still valid). The second user may not be prompted to login until the existing session with the auth provider is cleared. **Describe the solution you'd like** We should support [passing the `max_age` parameter](https://auth0.com/docs/authenticate/login/max-age-reauthentication) when the CHT api server starts the OIDC login flow. Then we can validate the `auth_time` claim that is returned with the id token and ensure it is within the desired time window (e.g. `60s`). From the [OIDC Spec](https://openid.net/specs/openid-connect-core-1_0.html): The `max_age` parameter is: > OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. .... When max_age is used, the ID Token returned MUST include an auth_time Claim Value. Note that max_age=0 is equivalent to prompt=login. The `auth_time` claim is: > Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time. When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL. When validating the id token: > If the auth_time Claim was requested, either through a specific request for this Claim or by using the max_age parameter, the Client SHOULD check the auth_time Claim value and request re-authentication if it determines too much time has elapsed since the last End-User authentication. **Describe alternatives you've considered** Similar re-authentication functionality could be achived via the `prompt=login` parameter, but [the auth0 docs](https://auth0.com/docs/authenticate/login/max-age-reauthentication) note: > The prompt=login mechanism can be subverted by simply stripping the parameter as it passes through the user agent (browser) and is only good for providing a UX hint to the provider (OP) in cases when the (RP) wants to display a link like: **Additional context** The changes to the CHT code _should_ be pretty simple. I think we could make the `max_age` parameter value configurable in the `oidc_provider` properties in the CHT instance settings doc. If a value is provided for that settings property, then our api code should provide it [when calling `client.buildAuthorizationUrl`](https://github.com/medic/cht-core/blob/2cbe9c10991de77e5ed7408432474800ea5185d4/api/src/services/sso-login.js#L97). It looks like we can pass it directly when making the `client.buildAuthorizationUrl` call like [in this example](https://github.com/panva/openid-client/discussions/828), or maybe we could just set the [default_max_age](https://github.com/panva/openid-client/blob/b77d87c1e2f5fef6fab501de615fb83a74a0251f/docs/interfaces/ClientMetadata.md#default_max_age) somehow? Then, when [calling `client.authorizationCodeGrant`](https://github.com/medic/cht-core/blob/2cbe9c10991de77e5ed7408432474800ea5185d4/api/src/services/sso-login.js#L119) we should pass the [`maxAge` property](https://github.com/panva/openid-client/blob/b77d87c1e2f5fef6fab501de615fb83a74a0251f/docs/interfaces/AuthorizationCodeGrantChecks.md#maxage) (maybe to 60 seconds) so that the `auth_time` claim is properly validated. I think we can update our [SSO Login integration tests](https://github.com/medic/cht-core/blob/58697bba201371326186e6d15ce39699688993f5/tests/integration/api/controllers/login.spec.js#L316) to include a test for this functionality.

Let me know if anything out there seems off.